Hi,
I'm trying to Update Network Wireless Ssid Firewall L3 Firewall Rules via API.
The API returns the error "Destination address must be an IP address or a subnet in CIDR form (e.g. '192.168.1.0/24' ora 'any')" when the firewall rules include a Local LAN traffic rule like this:
{
"comment": "Wireless clients accessing LAN",
"ipVer": "ipv4",
"policy": "deny",
"protocol": "Any",
"destPort": "Any",
"destCidr": "Local LAN"
}
If you simply "pop" that entry in the Firewall rule payload, so that you only send actual rules and not that rule, will the POST succeed?
That rule cannot be removed. It will always be there, so I wonder if you can update the rules without actually updating that rule as well.
Yes, without that rule the update works correctly. But what if I need to update the rule to permit/deny access to the local LAN?
I could suspect you might be hitting a bug in the API, so it might be worthwhile to submit a ticket with Meraki Support, and have their take on it.
If you leave out the destCidr key/val pair, does the POST succeed as well?
You can't change the default rule. Instead, you have to add a rule above it to do a deny/any/any.
Yeah, that's correct, but from what I gather from @Luca_1's post, it's the Local LAN access for Wireless Clients rule, and not the Default rule. 🙂
I've just hit the exact same issue! lol. Is there a way via API to change the allow/deny status of this rule like you can in the dashboard?
Yeah, not finding a way to update that dropdown from allow to deny for traffic to Local LAN. The best I came up with was to add three separate rules for each of the private class subnets. Hope this won't block the gateway for the client.
rules=[{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '10.0.0.0/8'},
{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '172.16.0.0/12'},
{'comment': 'Wireless clients accessing LAN', 'ipVer': 'ipv4', 'policy': 'deny', 'protocol': 'any', 'destPort': 'Any', 'destCidr': '192.168.0.0/16'}]
I had the same issue with the 2 default rules. My last rule is a DENY ANY ANY, and I just want "my" rules copied over, not the defaults (don't need to since they're already going to be there). Someone suggested adding this in my code and it worked flawlessly.
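The approach discussed in this thread, as an added example that is not code from any of the posts above: take the rules read back from the API, drop the two dashboard-managed entries, and build a body that only contains destinations the API accepts. Assumptions: the built-in last rule carries the comment "Default rule", and the Local LAN allow/deny state is sent through an `allowLanAccess` body parameter of the Dashboard API v1 update call (verify both against the API reference); the sample rules are constructed.

```python
import ipaddress

# Constructed sample of rules read back from the API. The "Local LAN" entry has the
# shape shown in the thread; the shape of the "Default rule" entry is an assumption.
SAMPLE_RULES = [
    {"comment": "Block printer VLAN", "policy": "deny", "protocol": "tcp",
     "destPort": "9100", "destCidr": "10.20.30.0/24"},
    {"comment": "Wireless clients accessing LAN", "ipVer": "ipv4", "policy": "deny",
     "protocol": "Any", "destPort": "Any", "destCidr": "Local LAN"},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "destPort": "Any", "destCidr": "Any"},
]


def dest_is_sendable(dest):
    """True if dest is 'any' or parses as an IP address or CIDR subnet."""
    dest = dest.strip()
    if dest.lower() == "any":
        return True
    try:
        ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return False
    return True


def build_update_body(current_rules, allow_lan_access=None):
    """Build an update body from read-back rules, leaving out the built-in ones."""
    custom, lan_policy = [], None
    for i, rule in enumerate(current_rules):
        dest = rule.get("destCidr", "")
        is_last = i == len(current_rules) - 1
        if dest == "Local LAN":
            lan_policy = rule.get("policy")  # remembered, never sent as a rule
        elif is_last and rule.get("comment") == "Default rule":  # assumed label
            continue
        elif dest_is_sendable(dest):
            custom.append(rule)
        else:
            raise ValueError(f"destCidr the API would reject: {dest!r}")
    body = {"rules": custom}
    if allow_lan_access is None and lan_policy is not None:
        allow_lan_access = lan_policy == "allow"
    if allow_lan_access is not None:
        body["allowLanAccess"] = allow_lan_access  # assumed v1 body parameter
    return body
```

Passing `allow_lan_access=True` or `False` overrides the state read from the existing Local LAN rule; leaving it as `None` carries the current state over unchanged.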